10/1996 Access Request
A man made an access request to a public sector data controller, principally with a view to establishing how it had recorded and dealt with a series of contacts that he had had with it. He supplied the data controller with a considerable amount of detail of dates and times when he had made these contacts.
The data controller responded in due course with a certain amount of information but the data subject did not accept the response as adequate. He made a formal complaint to my Office.
In view of the detail that the complainant had given the data controller when he made his access request, I decided that a thorough investigation was necessary. With the full co-operation of the data controller, my staff conducted an extensive examination of its computers (involving four visits to the data controller’s offices which altogether took about fifteen hours).
The investigation found a number of items of data relating to the complainant that he had not been given, and the data controller readily agreed to give them to him together with some explanations of codes contained in what he had been given already (section 4 of the Act requires that data given in response to an access request should be accompanied by an explanation of any terms that are not readily intelligible). My decision in this case was that the data controller had failed to comply with its obligation to give a full response to the complainant’s access request within forty days of getting it, but had subsequently (as a result of my investigation) given him all that he was entitled to.
The complainant had alleged that the data controller had wilfully withheld data in its initial response to his access request, but I found no evidence to suggest that that had been the case. What did emerge was that there were deficiencies in the data controller’s procedures for dealing with access requests. In this particular case, the task had been given to junior staff who did not properly understand what was involved and therefore did not carry out an adequate search of the relevant data holdings. The data controller acknowledged the need for better procedures and undertook to put them in place.